The Kerberos Key Distribution Center (KDC) uses a key ticket version to ensure that the keys are current across domain controllers acting as KDCs. The key ticket version is replicated to the other domain controllers by using Active Directory Domain Services (AD DS) replication.

Event Details

Product: Windows Operating System
ID: 28
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_REFERAL_KEY_NOT_AVAILABLE

Message:

When generating a cross realm referal from domain %1 the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was %2 and the available key version was %3. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.

Resolve

Force Active Directory replication

To resolve this issue, you must force Active Directory replication by using Active Directory Sites and Services.

Note: The Active Directory Domain Services (AD DS) domain that is not replicating is identified in the event log message.

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To force Active Directory replication by using Active Directory Sites and Services:

Log on to a computer that has Active Directory Sites and Services installed. It is installed by default on a domain controller.

Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

Expand the site in which the domain controller is located.

Expand Servers, and then expand the domain controller.

In the details pane, right-click the connection over which you want to replicate directory information, and then click Replicate Now.

Verify

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To verify that Active Directory Domain Services (AD DS) replication is working correctly:

Log on to a domain controller within your domain.

Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

Type dcdiag /test:replications, and then press ENTER.

The output of the command will report whether AD DS replication was successful.
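The following script is an added example and is not part of the original article or a Microsoft-supplied tool. It covers both the Resolve and Verify sections from the command line: it finds recent event 28 entries in the System log, pulls the domain and the two key version numbers (%1, %2, %3) out of each message so the domain that is behind on replication stands out, lists current replication failures, optionally forces replication with repadmin (the command-line counterpart of "Replicate Now" in Active Directory Sites and Services), and finishes with the same dcdiag /test:replications check the article uses. It assumes an elevated PowerShell session on a domain controller with the RSAT ActiveDirectory module, repadmin.exe and dcdiag.exe available; the function name, parameter names and the sample message are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): triage Kerberos KDC event 28
# on a domain controller, then force and verify AD DS replication.
# Assumptions: elevated PowerShell on a DC, RSAT ActiveDirectory module,
# repadmin.exe and dcdiag.exe on the path. Names below are this example's own.
param(
    [int]$LookbackHours = 24,    # assumed search window for the System log
    [switch]$ForceReplication    # pull replication only when explicitly asked
)

# Parse %1 / %2 / %3 (domain, requested kvno, available kvno) out of a rendered
# event message. The regex follows the message template quoted in the article.
function ConvertFrom-KdcEvent28 {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'referal from domain (?<Domain>\S+) the KDC .*' +
               'request was (?<Requested>\d+) and the available key version was (?<Available>\d+)'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Domain    = $Matches.Domain
            Requested = [int]$Matches.Requested
            Available = [int]$Matches.Available
            # positive gap = the requesting DC already has a newer key than we do
            Gap       = [int]$Matches.Requested - [int]$Matches.Available
        }
    }
}

# Constructed sample message (placeholders filled with made-up values) so the
# parser can be exercised without a real event on the box.
$sample = 'When generating a cross realm referal from domain CHILD.EXAMPLE.LOCAL the KDC ' +
          'was not able to find the suitable key to verify the ticket. The ticket key ' +
          'version in the request was 7 and the available key version was 5.'
ConvertFrom-KdcEvent28 -Message $sample | Format-List

# 1. Pull recent event 28 entries. KDC events are written to the System log
#    under the provider named in the article.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 28
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
if (-not $events) {
    Write-Output "No event 28 entries in the last $LookbackHours hours."
    return
}

# 2. One row per event, then group by domain: the article's note says the
#    message names the domain that is not replicating, so this is the pivot.
$findings = foreach ($e in $events) {
    $parsed = ConvertFrom-KdcEvent28 -Message $e.Message
    if ($parsed) {
        $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $e.TimeCreated -PassThru
    }
}
$findings | Group-Object Domain | ForEach-Object {
    [pscustomobject]@{
        Domain = $_.Name
        Events = $_.Count
        MaxGap = ($_.Group | Measure-Object Gap -Maximum).Maximum
        Latest = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
} | Format-Table -AutoSize

# 3. Look at replication failures before forcing anything; a failing inbound
#    partner explains a stale key version better than the KDC event itself.
Import-Module ActiveDirectory
Get-ADReplicationFailure -Target $env:COMPUTERNAME |
    Select-Object Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 4. Command-line equivalent of "Replicate Now" in Active Directory Sites and
#    Services: /A all partitions, /d report DNs, /e across sites, /P push.
if ($ForceReplication) {
    repadmin /syncall /AdeP
}

# 5. Verify, exactly as the article's Verify section does.
dcdiag /test:replications
```

Run it once without -ForceReplication to see which domain and key versions the events point at and whether a partner is actually failing; rerun with -ForceReplication only when the replication summary shows lag rather than an error that forcing would not fix. If event 28 keeps recurring for the same domain after dcdiag reports replication as successful, the key version gap is not a replication delay and the trust or the account whose key is stale needs a closer look.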